WPA2 Hacked
-
-
Oh great, guess I'm setting up a Radius Server for my home.
-
Looks like Ubiquiti have an update in Beta at the moment to resolve it.
-
I just read about it too, but it seems some vendors have patched their systems. I checked for Ubiquiti and that article says "One researcher told Ars that Aruba and Ubiquiti, which sell wireless access points to large corporations and government organizations, already have updates available to patch or mitigate the vulnerabilities."
I can't seem to find a list of which Ubiquiti products have patches available. Can anyone find a link to that?
-
WPA2 and WPA2-Enterprise are equally compromised. So there is simply no remedy to this situation for now besides to remove WPA2 wireless configurations and replace them with another mechanism (RADIUS).
Until a patch is released for your devices that is.
-
At least there's this
One researcher told Ars that Aruba and Ubiquiti, which sell wireless access points to large corporations and government organizations, already have updates available to patch or mitigate the vulnerabilities.
-
Every encryption method that is tied to WPA2 is compromised as well, this just gets worse and worse.
-
@dustinb3403 said in WPA2 Hacked:
Every encryption method that is tied to WPA2 is compromised as well, this just gets worse and worse.
Considering it's a problem in the handshake, I guess I'm not surprised.
-
WPA-TKIP or GCMP are the most vulnerability encryption methods as they allow for additional information to be injected.
-
"Note that our attacks do not recover the password of the Wi-Fi network. They also do not recover (any parts of) the fresh encryption key that is negotiated during the 4-way handshake."
So changing your wireless password does nothing here.
-
Unifi page on latest firmware.
-
I went in to my unifi controller under Settings -> Maintenance -> "Check Firmware Update" and it doesn't seem to be pulling down the new firmware. Should it?
-
@mike-davis said in WPA2 Hacked:
I went in to my unifi controller under Settings -> Maintenance -> "Check Firmware Update" and it doesn't seem to be pulling down the new firmware. Should it?
There was a 3.9 that wasn't pulled in last week either. I'm not sure at what point the controller auto updates (or updates via the button push) the firmware.
In the past, I only got new firmware when updating the Unifi Controller software itself. The Firmware update button is kinda new (though I'm sure this is where JB will tell me it's been in there for years).
-
@dashrender said in WPA2 Hacked:
In the past, I only got new firmware when updating the Unifi Controller software itself. The Firmware update button is kinda new (though I'm sure this is where JB will tell me it's been in there for years).
It has been there since 5.0 was reelased
-
...must be a Monday. News like this only comes on Mondays.
-
The handshake has always been the weak spot of WPA and WPA2. WPA had other issues, but was only even supposed to be a stopgap until WPA2 hardware was readily available.
You can easily negate this entire thing by using PEAP to prevent malicious actors from spoofing disconnect frames that make your devices reconnect and thus require a new 4 way handshake.
-
Also, while this is a serious flaw, it requires a malicious actor on site.
This is not anything that I am worried about at a business.
I will of course patch as soon as non-beta patches are available, but it is not some stupid OMG FUCKING PANIC situation.
-
@jaredbusch said in WPA2 Hacked:
@dashrender said in WPA2 Hacked:
In the past, I only got new firmware when updating the Unifi Controller software itself. The Firmware update button is kinda new (though I'm sure this is where JB will tell me it's been in there for years).
It has been there since 5.0 was reelased
Oh additionally, your UniFi instance will download updates on a schedule even without you pressing that button or updating the version.
-
@jaredbusch said in WPA2 Hacked:
@jaredbusch said in WPA2 Hacked:
@dashrender said in WPA2 Hacked:
In the past, I only got new firmware when updating the Unifi Controller software itself. The Firmware update button is kinda new (though I'm sure this is where JB will tell me it's been in there for years).
It has been there since 5.0 was reelased
Oh additionally, your UniFi instance will download updates on a schedule even without you pressing that button or updating the version.
Isn't this only enabled by the admin and not by default? (I'll have to double check my controller)
-
@dustinb3403 said in WPA2 Hacked:
@jaredbusch said in WPA2 Hacked:
@jaredbusch said in WPA2 Hacked:
@dashrender said in WPA2 Hacked:
In the past, I only got new firmware when updating the Unifi Controller software itself. The Firmware update button is kinda new (though I'm sure this is where JB will tell me it's been in there for years).
It has been there since 5.0 was reelased
Oh additionally, your UniFi instance will download updates on a schedule even without you pressing that button or updating the version.
Isn't this only enabled by the admin and not by default? (I'll have to double check my controller)
There is no button for it to my knowledge, but I am almost certain I read that in the guide. My devices occasionally have firmware updates when I have not clicked the button, nor updated the controller itself.
